Kingsley,
The point of mirroring the claim in a resource which can be retrieved by de-referencing the URI the holder assigns themselves is so that you can be sure they have a reasonable degree of authority over that URI, and so can use it as an identifier for them. It doesn't matter whether that's an http: or https: URI, or some other kind (acct:, ldap:, whatever) Ã³ provided thereÃ­s an unambiguous function which can be handed that URI and will de-reference it to a resource which contains the mirrored claims.
If the resource youÃ­re fetching isnÃ­t de-referenced from the that identifier Ã³ i.e., it comes from somewhere else entirely, as you suggested would be the case (see quote below), then the claim over the URI isnÃ­t mirrored any more.
>> If I'm understanding correctly, you're saying (for example), that sIA might contain a URL,
>
> Yep!
>
> This reference (an Address) resolves to a profile resource bearing claims mirror.
>> while the sAN contains the URI of the certificate holder which appears within the document published at the sIA URL?
>
> Yep!
Thus, Peter might have:
sIA: <http://rdf-translator.appspot.com/parse?url=http%3A%2F%2Fyorkporc2.blogspot.com%2F&of=n3>
sAN: <http://yorkpc2.blogspot.com/#me>
(And the data at yorkpc2.blogspot.com might be in some random format, or might not even be published there at all Ã³ itÃ­s just used as a key by rdf-translator.appspot.com).
ThereÃ­s nothing wrong with this *per se* but youÃ­re changing the landscape somewhat: it reduces the scope of everything in the the resource to 'untrusted, unverified input' Ã³ itÃ­s just a self-asserted attribute exchange document, at which point thereÃ­s no point in verifying that the key matches any more, because it doesnÃ­t make a jot of difference to anything if it does. What you *canÃ­t* do any more is use the self-asserted identifier of the holder as any sort of confirmed identifier, because the claim isn't mirrored there Ã³ itÃ­s mirrored somewhere else entirely.
In the above example, Peter has no confirmed claim over <http://yorkpc2.blogspot.com/#me> because the data which would otherwise mirror that claim and confirm it is retrieved from <http://rdf-translator.appspot.com/parse?url=http%3A%2F%2Fyorkporc2.blogspot.com%2F&of=n3> without ever touching the resources retrieved when de-referencing the sAN URI.
At this point, the only piece of actual confirmed information you have (and so the only thing you can use as an identifier) is the public key itself, the content of the profile document is no different from presenting a form and asking the user to fill it in.
M.
--
Mo McRoberts - Technical Lead - The Space,
0141 422 6036 (Internal: 01-26036) - PGP key CEBCF03E,
Project Office: Room 7083, BBC Television Centre, London W12 7RJ
http://www.bbc.co.uk/
This e-mail (and any attachments) is confidential and may contain personal views which are not the views of the BBC unless specifically stated.
If you have received it in error, please delete it from your system.
Do not use, copy or disclose the information in any way nor act in reliance on it and notify the sender immediately.
Please note that the BBC monitors e-mails sent or received.
Further communication will signify your consent to this.